PCI Compliance Scan Failure (FAQ)

When scanning your onMessage site for PCI compliance, you may encounter some errors. This FAQ explains those errors and describes which URL to scan.

Article Number: 23795

Products:

onMessage

Core

1. If my school has an onMessage website, what URL should I scan?

The correct URL to scan if you have an onMessage website is your login domain, for example https://schoolname.myschoolapp.com. You should also supply your scan vendor with the URL of your giving page (or any page that accepts credit cards).

Since no SSL activity and no credit card transactions happen on your front-end website, the public URL of your website does not need to be scanned for PCI purposes.

2. If my school has a Podium website, what URL should I scan?

The correct URL to scan if you have a Podium website is your public domain with "www" (for example http://www.example.com).

This may happen if you scan the root domain of your website (example.com). If DNS is configured correctly, the root domain of your public URL points at a redirect server that redirects all requests for the root domain (example.com) to the www record (www.example.com).

This is not a failure of the scan so much as it is scanning the wrong URL.

4. My PCI Scan failed with the error: "SSL Certificate Expiry"

This may happen if an onMessage school scans their public URL (www.example.com). Beginning in November 2014 WhippleHill stopped renewing certificates for onMessage front end websites because all SSL transactions now happen through either myschoolapp.com or onwhipplehill.com. You can read more about that change in our SSL White Paper.

This is not a failure of the scan so much as it is scanning the wrong URL if you have an onMessage site.

For schools that still have a Podium web site, this particular error should be investigated by WhippleHill support.
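The expiry finding is easier to triage when you can read the certificate dates yourself on the host your scan vendor is actually pointed at. The following is an added example, not code from the FAQ or from WhippleHill/Blackbaud: it uses only the Python standard library, the certificate and the pinned "now" in it are constructed sample values, and the hostnames in the comments are placeholders.

```python
import socket
import ssl
from datetime import datetime, timezone


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Open a verified TLS connection to host and return the peer certificate
    in the dict shape ssl.SSLSocket.getpeercert() produces. This is a live
    network call; the checks below run offline on constructed dicts."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_until_expiry(cert, now=None):
    """Days remaining on the certificate (negative once it has expired).
    getpeercert() reports notAfter as e.g. 'Nov  5 12:00:00 2014 GMT', and
    the stdlib helper ssl.cert_time_to_seconds() parses exactly that format."""
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (not_after - now).total_seconds() / 86400.0


def expiry_status(cert, now=None, warn_days=30):
    """Classify the way a scanner would: 'expired', 'expiring' (inside the
    warning window) or 'ok'."""
    days = days_until_expiry(cert, now)
    if days < 0:
        return "expired"
    if days < warn_days:
        return "expiring"
    return "ok"


def check_host(host):
    """Live check of one host. An already-expired certificate fails
    verification before getpeercert() can return it, so that case is reported
    from the SSLCertVerificationError instead of from the date arithmetic."""
    try:
        cert = fetch_peer_cert(host)
    except ssl.SSLCertVerificationError as exc:
        return ("verify-failed", exc.verify_message)
    return (expiry_status(cert), round(days_until_expiry(cert), 1))


# Constructed sample standing in for a front-end certificate that was last
# renewed before the November 2014 change; 'now' is pinned so results are stable.
SAMPLE_CERT = {"subject": ((("commonName", "www.example.com"),),),
               "notAfter": "Nov  5 12:00:00 2014 GMT"}
SAMPLE_NOW = datetime(2015, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(expiry_status(SAMPLE_CERT, SAMPLE_NOW),
          round(days_until_expiry(SAMPLE_CERT, SAMPLE_NOW), 1))
    # Live check of the host your scan vendor targets (placeholder hostname):
    # print(check_host("schoolname.myschoolapp.com"))
```

Run `check_host()` against the login domain rather than the public www host: a "verify-failed" result with the message "certificate has expired" on the www host is the scanning-the-wrong-URL case the FAQ describes, whereas the same result on the login domain is the one to raise with support.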

Note: NATIVE SSL ciphers on affected versions are not vulnerable. However, some vulnerability scanners may generate false positive reports when run against BIG-IP virtual servers that are configured to use ciphers supported by the NATIVE SSL stack. This includes all ciphers enabled by the default cipher string.

7. My PCI Scan Failed with the Error: "TLSv1.0 Supported"

If the Trustwave Vulnerability Scan Report gives a failing PCI compliance status with "TLSv1.0 Supported" as the noted vulnerability, the cause is support for older browsers. The report's exception note may read: "Note to scan customer: This vulnerability is not recognized in the National Vulnerability Database. TLS v1.0 violates PCI DSS and is considered an automatic failing condition."

At this time TLSv1.0 remains enabled to support older browsers, and disabling it would cause issues for a good number of the browser versions your constituents still use to access the site.

The PCI DSS standard says the following: "Note: SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016. Prior to this date, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place." We will begin investigating whether it is possible for us to remove TLSv1.0 as an option and what impact that may have on older browsers.

To address this PCI scan failure please contact Blackbaud Product support for assistance.
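The "TLSv1.0 Supported" finding is a statement about the server's protocol policy window, and that window is what has to change to clear it. The block below is an added example and not Blackbaud's configuration: it shows, with the Python standard library's `ssl` module, a permissive window next to a hardened server context whose minimum is TLS 1.2, and a check that mimics the scanner's verdict on each. The certificate paths are optional placeholders; the permissive policy is evaluated as a (min, max) pair rather than built on a real context because some OpenSSL builds refuse to enable TLS 1.0 at all.

```python
import ssl

# Protocol versions the ssl module can express, weakest first. SSLv2 has no
# TLSVersion member, so it is outside what this check can describe.
VERSIONS = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
            ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)

# "SSL and early TLS" in the PCI DSS wording the FAQ quotes.
EARLY_TLS = frozenset({"SSLv3", "TLSv1"})


def versions_in_window(minimum, maximum):
    """Names of the versions a (minimum, maximum) policy allows. The sentinels
    MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED mean 'no bound' and are not
    numerically comparable with real versions, so resolve them first."""
    lo = VERSIONS[0] if minimum == ssl.TLSVersion.MINIMUM_SUPPORTED else minimum
    hi = VERSIONS[-1] if maximum == ssl.TLSVersion.MAXIMUM_SUPPORTED else maximum
    return [v.name for v in VERSIONS if lo <= v <= hi]


def permissive_window():
    """A context with no bounds at all: every version OpenSSL could speak."""
    return versions_in_window(ssl.TLSVersion.MINIMUM_SUPPORTED,
                              ssl.TLSVersion.MAXIMUM_SUPPORTED)


def context_versions(ctx):
    """Policy window configured on an ssl.SSLContext. This is the configured
    range, not what the underlying OpenSSL build can actually negotiate
    (distributions often compile SSLv3 and TLSv1 out entirely)."""
    return versions_in_window(ctx.minimum_version, ctx.maximum_version)


def early_tls_findings(ctx):
    """What a PCI scanner would flag for this policy: the weak versions still
    inside the window, sorted; an empty list means no 'TLSv1.0 Supported'."""
    return sorted(EARLY_TLS.intersection(context_versions(ctx)))


def hardened_server_context(certfile=None, keyfile=None):
    """Server-side context that never offers SSLv3, TLS 1.0 or TLS 1.1.
    Setting minimum_version is the modern replacement for OP_NO_* flags."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:  # placeholder paths; a real server loads its own chain here
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


if __name__ == "__main__":
    hardened = hardened_server_context()
    print("permissive window:", permissive_window())
    print("hardened window:  ", context_versions(hardened))
    print("scanner findings: ", early_tls_findings(hardened))
```

The same `early_tls_findings()` check applied to any context you control is a quick pre-scan gate: if it returns anything, the scan will fail on protocol support before it gets to ciphers or certificates.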

8. I can't connect to SSL pages from older browsers.

On 7/1/15 Blackbaud will be making a change to how SSL functions on all Podium and "ON" Products in response to a change made to the PCI DSS Standard in April 2015. The change involves disabling TLS 1.0 for Podium and "ON" Products on July 1, 2015. This change will also improve PCI scan results.

When TLS 1.0 is disabled, some older browsers will no longer have access to the App or Podium.

9. What Kind of Error Message will I see if my browser does not support TLS 1.1 or 1.2?

This is an example error from Internet Explorer v8 on Windows 7 with TLS 1.1 and 1.2 disabled.

10. How to Enable TLS 1.1 and 1.2 on Internet Explorer version 8-10 on Windows 7

After the TLS change described above is made, customers connecting with Internet Explorer version 8 to 10 on Windows 7 will need to enable TLS 1.1 and 1.2 support in their browser manually. In those browser versions it is disabled by default. Also, keep in mind that you may have other issues unrelated to SSL when using older browsers such as Internet Explorer versions 8 to 10.

To enable TLS 1.1 and 1.2:

Open Internet Explorer.

Click on the "Tools" menu.

Select "Internet Options".

Select the "Advanced" tab and scroll to the bottom.

Using the image below, disable older and less secure versions of SSL and TLS (in red).
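The checkboxes on the Advanced tab are a view of one per-user registry value, so the same change can be scripted for a lab of machines. The block below is an added example, not Blackbaud's tooling: it decodes and rewrites the `SecureProtocols` DWORD under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings` using the Python standard library; the bit values are Internet Explorer's documented ones, while the starting value 0xA8 is a constructed sample (SSL 2.0, SSL 3.0 and TLS 1.0 on) rather than a claim about any particular machine's default. Only the registry write needs Windows; the bit arithmetic runs anywhere.

```python
import sys

# Bit values of the SecureProtocols DWORD Internet Explorer reads from the
# Internet Settings key. Each bit is one checkbox on the Advanced tab.
PROTOCOL_BITS = {
    "SSL 2.0": 0x008,
    "SSL 3.0": 0x020,
    "TLS 1.0": 0x080,
    "TLS 1.1": 0x200,
    "TLS 1.2": 0x800,
}
IE_SETTINGS_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
SAMPLE_VALUE = 0x0A8  # constructed: SSL 2.0 + SSL 3.0 + TLS 1.0 enabled


def decode(value):
    """Human-readable list of the protocols a SecureProtocols value enables."""
    return [name for name, bit in PROTOCOL_BITS.items() if value & bit]


def apply_policy(value, enable=(), disable=()):
    """Return value with the named protocols switched on/off, leaving every
    other bit (including any this table does not know about) untouched."""
    for name in enable:
        value |= PROTOCOL_BITS[name]
    for name in disable:
        value &= ~PROTOCOL_BITS[name]
    return value


def recommended(value):
    """The FAQ's target state: TLS 1.1 and 1.2 on, the older SSL versions off.
    TLS 1.0 is left as the user had it; the server stops offering it anyway."""
    return apply_policy(value, enable=("TLS 1.1", "TLS 1.2"),
                        disable=("SSL 2.0", "SSL 3.0"))


def update_registry(dry_run=True):
    """Read the current per-user value, compute the recommended one and, unless
    dry_run, write it back. Windows only; IE applies it on its next start."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("SecureProtocols lives in the Windows registry")
    import winreg  # stdlib, available only on Windows
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, IE_SETTINGS_KEY, 0,
                        winreg.KEY_READ | winreg.KEY_SET_VALUE) as key:
        try:
            current, _ = winreg.QueryValueEx(key, "SecureProtocols")
        except FileNotFoundError:
            # Value absent: IE is using its built-in default. Set it once via
            # the dialog rather than guessing which bits that default has.
            return None, None
        target = recommended(current)
        if not dry_run and target != current:
            winreg.SetValueEx(key, "SecureProtocols", 0, winreg.REG_DWORD, target)
    return current, target


if __name__ == "__main__":
    print("before:", hex(SAMPLE_VALUE), decode(SAMPLE_VALUE))
    after = recommended(SAMPLE_VALUE)
    print("after: ", hex(after), decode(after))
```

Two caveats for anyone using it beyond a single desktop: a Group Policy setting for the same value lives under HKLM and overrides the per-user one, and a value that was never written means the machine is on IE's built-in default, which is why the script reports `(None, None)` and leaves that case to the dialog steps above.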